FAQ: How to set up an IPSec VPN between two USG2100s that are both on private networks?

Published: 2019-03-30  |  Views: 200  |  Downloads: 0  |  Author: zWX458682  |  Document ID: EKB1100010474

Contents

Problem description

How can an IPSec VPN be set up when both USG2100 ends sit behind NAT on private networks?

Solution

I. Device list

Two USG2100s as the IPSec devices, named IPSEC1 and IPSEC2;

Two USG5120BSRs as the egress routers, named NAT1 and NAT2;

One USG5320 acting as the Internet device;

II. Implementation methods (there are three)

1. Headquarters side: IPSec policy template + pre-shared key + ESP

2. Branch side: IPSec sub-policy (ISAKMP policy) + pre-shared key + ESP

III. Configuration roadmap

1. Basic configuration: configure interface IP addresses on all devices, add the interfaces to the corresponding security zones, set the interzone policy to permit all traffic, and configure routing;

2. Configure NAT: configure NAT server and NAT outbound respectively;

3. Configure the IPSec policy parameters on IPSEC1 and IPSEC2:

a. Configure the IPSec proposal.

b. Configure the IKE proposal.

c. Configure the IKE peer.

d. Configure the IPSec policy.

4. Apply the IPSec policies on the physical interfaces of IPSEC1 and IPSEC2;

5. Verify the result;

IV. Network parameter plan

Device name   No.   Port                   IP address
NAT1          1     GigabitEthernet0/0/0   192.168.1.1/24
              2     GigabitEthernet0/0/2   Obtained via DHCP (simulates ADSL)
NAT2          5     GigabitEthernet0/0/0   192.168.2.1
              6     GigabitEthernet0/0/3   200.1.2.1
IPSEC1        3     Ethernet 0/0/0         192.168.1.2/24
              4     Vlanif1                192.168.168.1/24
IPSEC2        7     Ethernet 0/0/0         192.168.2.2/24
              8     Vlanif1                192.168.170.1/24

V. Detailed configuration

Basic configuration

On all devices, configure the interface IP addresses, add the interfaces to the corresponding security zones, and set the interzone policy to permit all traffic;

IPSEC1 basic configuration

[USG2100]sysname IPSEC1

[IPSEC1]interface Ethernet0/0/0

[IPSEC1-Ethernet0/0/0]ip address 192.168.1.2 24

[IPSEC1-Ethernet0/0/0]quit

[IPSEC1]interface Vlanif 1

[IPSEC1-Vlanif1]ip address 192.168.168.1 24

[IPSEC1-Vlanif1]quit

[IPSEC1]firewall zone untrust

[IPSEC1-zone-untrust]add interface Ethernet 0/0/0

//Vlanif 1 is already a member of the Trust zone by default

[IPSEC1-zone-untrust]quit

[IPSEC1] firewall packet-filter default permit all

[IPSEC1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1

NAT1 basic configuration

sys

13:42:15 2012/02/28

Enter system view, return user view with Ctrl Z.

[NAT1]interface GigabitEthernet 0/0/0

[NAT1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

[NAT1-GigabitEthernet0/0/0]quit

[NAT1]dhcp enable

[NAT1]interface GigabitEthernet 0/0/2

[NAT1-GigabitEthernet0/0/2]dhcp client enable

[NAT1-GigabitEthernet0/0/2]quit

[NAT1]firewall zone trust

[NAT1-zone-trust]add interface GigabitEthernet 0/0/0

[NAT1-zone-trust]quit

[NAT1]firewall zone untrust

[NAT1-zone-untrust]add interface GigabitEthernet 0/0/2

[NAT1-zone-untrust]quit

[NAT1]nat-policy interzone trust untrust outbound

[NAT1-nat-policy-interzone-trust-untrust-outbound]policy 1

[NAT1-nat-policy-interzone-trust-untrust-outbound-1]action source-nat

[NAT1-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/2

[NAT1]firewall packet-filter default permit all

[NAT1]ip route-static 200.1.2.0 255.255.255.0 200.1.1.2

[NAT1]ip route-static 192.168.168.0 255.255.255.0 192.168.1.2

NAT2 basic configuration

sys

13:42:15 2012/02/28

Enter system view, return user view with Ctrl Z.

[NAT2]interface GigabitEthernet 0/0/0

[NAT2-GigabitEthernet0/0/0]ip address 192.168.2.1 24

[NAT2-GigabitEthernet0/0/0]quit

[NAT2]interface GigabitEthernet 0/0/3

[NAT2-GigabitEthernet0/0/3]ip address 200.1.2.1 24

[NAT2-GigabitEthernet0/0/3]quit

[NAT2]firewall zone trust

[NAT2-zone-trust]add interface GigabitEthernet 0/0/0

[NAT2-zone-trust]quit

[NAT2]firewall zone untrust

[NAT2-zone-untrust]add interface GigabitEthernet 0/0/3

[NAT2-zone-untrust]quit

[NAT2]nat-policy interzone trust untrust outbound

[NAT2-nat-policy-interzone-trust-untrust-outbound]policy 1

[NAT2-nat-policy-interzone-trust-untrust-outbound-1]action source-nat

[NAT2-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/3

[NAT2-nat-policy-interzone-trust-untrust-outbound-1]quit

[NAT2]nat server protocol udp global 200.1.2.1 4500 inside 192.168.2.2 4500

[NAT2]nat server protocol udp global 200.1.2.1 500 inside 192.168.2.2 500

[NAT2]nat server protocol 50 global 200.1.2.1 inside 192.168.2.2

------------The NAT server entries are the key part of this lab:

50 is the IP protocol number of ESP; 4500 is the UDP port used for NAT traversal (NAT-T); 500 is the UDP port used by IKE for IPSec negotiation. Because ESP has no port numbers, NAT2 must map it statically (1:1) to IPSEC2.

[NAT2]firewall packet-filter default permit all

[NAT2]ip route-static 200.1.1.0 255.255.255.0 200.1.2.2

[NAT2]ip route-static 192.168.170.0 255.255.255.0 192.168.2.2

IPSEC2 basic configuration

[USG2100]sysname IPSEC2

[IPSEC2]interface Ethernet0/0/0

[IPSEC2-Ethernet0/0/0]ip address 192.168.2.2 24

[IPSEC2-Ethernet0/0/0]quit

[IPSEC2]interface Vlanif 1

[IPSEC2-Vlanif1]ip address 192.168.170.1 24

[IPSEC2-Vlanif1]quit

[IPSEC2]firewall zone untrust

[IPSEC2-zone-untrust]add interface Ethernet 0/0/0

//Vlanif 1 is already a member of the Trust zone by default

[IPSEC2-zone-untrust]quit

[IPSEC2]firewall packet-filter default permit all

[IPSEC2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1

Internet device basic configuration

[USG5320]interface GigabitEthernet 0/0/1

[USG5320-GigabitEthernet0/0/1]ip add 200.1.2.2 24

[USG5320-GigabitEthernet0/0/1]quit

[USG5320]dhcp enable

[USG5320]interface GigabitEthernet 0/0/0

[USG5320-GigabitEthernet0/0/0]ip address 200.1.1.2 24

[USG5320-GigabitEthernet0/0/0]dhcp select interface

[USG5320-GigabitEthernet0/0/0]quit

[USG5320]firewall zone trust

[USG5320-zone-trust]add interface GigabitEthernet 0/0/0

[USG5320-zone-trust]quit

[USG5320]firewall zone untrust

[USG5320-zone-untrust]add interface GigabitEthernet 0/0/1

[USG5320-zone-untrust]quit

[USG5320]firewall packet-filter default permit all

Route connectivity test

NAT1 pings NAT2 (200.1.2.1)

ping 200.1.2.1

14:21:36 2012/02/28

PING 200.1.2.1: 56 data bytes, press CTRL_C to break

Reply from 200.1.2.1: bytes=56 Sequence=1 ttl=254 time=1 ms

Reply from 200.1.2.1: bytes=56 Sequence=2 ttl=254 time=1 ms

Reply from 200.1.2.1: bytes=56 Sequence=3 ttl=254 time=1 ms

Reply from 200.1.2.1: bytes=56 Sequence=4 ttl=254 time=1 ms

Reply from 200.1.2.1: bytes=56 Sequence=5 ttl=254 time=1 ms

NAT1 pings IPSEC1 (192.168.168.1)

[NAT1]ping 192.168.168.1

14:28:30 2012/02/28

PING 192.168.168.1: 56 data bytes, press CTRL_C to break

Reply from 192.168.168.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Reply from 192.168.168.1: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 192.168.168.1: bytes=56 Sequence=3 ttl=255 time=1 ms

Reply from 192.168.168.1: bytes=56 Sequence=4 ttl=255 time=1 ms

Reply from 192.168.168.1: bytes=56 Sequence=5 ttl=255 time=1 ms

NAT2 pings NAT1 (200.1.1.1)

[NAT2]ping 200.1.1.1

14:24:29 2012/02/28

PING 200.1.1.1: 56 data bytes, press CTRL_C to break

Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=254 time=1 ms

Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms

Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms

Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms

Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms

NAT2 pings the internal address of IPSEC2 (192.168.170.1)

[NAT2]ping 192.168.170.1

14:30:38 2012/02/28

PING 192.168.170.1: 56 data bytes, press CTRL_C to break

Reply from 192.168.170.1: bytes=56 Sequence=1 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=3 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=4 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 192.168.170.1 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 1/1/1 ms

Configure the IPSec policy parameters on IPSEC1 and IPSEC2.

Configure the IPSec proposal.

IPSEC1

[IPSEC1]ipsec proposal aa

IPSEC2

[IPSEC2]ipsec proposal bb

Note: the default parameters are used here.

Configure the IKE proposal.

IPSEC1

[IPSEC1]ike proposal 10

IPSEC2

[IPSEC2]ike proposal 10

Note: the default parameters are used here.

Configure the IKE peer.

IPSEC1

[IPSEC1]ike local-name IPSEC1

[IPSEC1]ike peer aa

[IPSEC1-ike-peer-aa]exchange-mode aggressive

[IPSEC1-ike-peer-aa]local-id-type name

[IPSEC1-ike-peer-aa]ike-proposal 10

[IPSEC1-ike-peer-aa]pre-shared-key abcde

//Must match the pre-shared key configured on IPSEC2

[IPSEC1-ike-peer-aa]remote-name IPSEC2

[IPSEC1-ike-peer-aa]remote-address 200.1.2.1

[IPSEC1-ike-peer-aa]nat traversal

IPSEC2

[IPSEC2]ike local-name IPSEC2

[IPSEC2]ike peer bb

[IPSEC2-ike-peer-bb]exchange-mode aggressive

[IPSEC2-ike-peer-bb]pre-shared-key abcde

[IPSEC2-ike-peer-bb]ike-proposal 10

[IPSEC2-ike-peer-bb]local-id-type name

[IPSEC2-ike-peer-bb]remote-name IPSEC1

[IPSEC2-ike-peer-bb]nat traversal

//No remote-address on the template (headquarters) side: NAT1's public address is assigned by DHCP and is not known in advance, so IPSEC2 identifies the peer by name

Configure the IPSec policy.

IPSEC1

[IPSEC1]acl 3000

[IPSEC1-acl-adv-3000]rule permit ip source 192.168.168.0 0.0.0.255 destination 192.168.170.0 0.0.0.255

[IPSEC1]ipsec policy map 10 isakmp

[IPSEC1-ipsec-policy-isakmp-map-10] security acl 3000

[IPSEC1-ipsec-policy-isakmp-map-10] ike-peer aa

[IPSEC1-ipsec-policy-isakmp-map-10] proposal aa

IPSEC2

[IPSEC2]acl 3000

[IPSEC2-acl-adv-3000] rule permit ip source 192.168.170.0 0.0.0.255 destination 192.168.168.0 0.0.0.255

[IPSEC2] ipsec policy-template map1 10

[IPSEC2-ipsec-policy-templet-map1-10] security acl 3000

[IPSEC2-ipsec-policy-templet-map1-10] ike-peer bb

[IPSEC2-ipsec-policy-templet-map1-10] proposal bb

[IPSEC2-ipsec-policy-templet-map1-10]quit

[IPSEC2]ipsec policy map 10 isakmp template map1

Apply the IPSec policies on the physical interfaces of IPSEC1 and IPSEC2.

IPSEC1

[IPSEC1]interface Ethernet0/0/0

[IPSEC1-Ethernet0/0/0]ipsec policy map

08:07:03 2012/02/28

#2012-02-28 08:07:03 0 IPSEC1 IPSEC/4/IPSECPOLICYATTACH:1.3.6.1.4.1.2011.6.122.26.6.5 an IPSec policy is applied to an interface. (IfIndex=386, PolicyName=map)

IPSEC2

[IPSEC2]interface Ethernet0/0/0

[IPSEC2-Ethernet0/0/0]ipsec policy map

08:07:03 2012/02/28

#2012-02-28 08:07:03 0 IPSEC1 IPSEC/4/IPSECPOLICYATTACH:1.3.6.1.4.1.2011.6.122.26.6.5 an IPSec policy is applied to an interface. (IfIndex=386, PolicyName=map)

Verify the result

Ping

First initiate traffic from the initiating end (branch) toward the center end:

ping -a 192.168.168.1 192.168.170.1

08:49:01 2012/02/28

PING 192.168.170.1: 56 data bytes, press CTRL_C to break

#2012-02-28 08:49:02 0 IPSEC1 IPSEC/4/IPSECTUNNELSTART:1.3.6.1.4.1.2011.6.122.26.6.1 the IPSec tunnel is established. (Ifindex=386, SeqNum=10, TunnelIndex=129, RuleNum=5, DstIP=200.1.2.1, InsideIP=0.0.0.0, RemotePort=4500, CpuID=0, SrcIP=192.168.1.2, LifeSize=1843200, LifeTime=3600)

Request time out

Reply from 192.168.170.1: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=3 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=4 ttl=255 time=1 ms

Reply from 192.168.170.1: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 192.168.170.1 ping statistics ---

5 packet(s) transmitted

4 packet(s) received

20.00% packet loss

round-trip min/avg/max = 1/1/1 ms

View the IKE SA

IPSEC1

dis ike sa

12:21:51 2012/02/28

current ike sa number: 2

---------------------------------------------------------------------

connection-id peer vpn flag phase doi

--------------------------------------------------------------------

0x17 200.1.2.1:1194 0 RD|ST v2:2 IPSEC

0x16 200.1.2.1:1194 0 RD|ST v2:1 IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING

TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD

IPSEC2

dis ike sa

20:27:06 2012/02/28

current ike sa number: 2

---------------------------------------------------------------------

connection-id peer vpn flag phase doi

--------------------------------------------------------------------

0x17 200.1.1.1:0804 0 RD v2:2 IPSEC

0x16 200.1.1.1:0804 0 RD v2:1 IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING

TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD

View the IPSec SA

IPSEC1

dis ipsec sa

12:23:49 2012/02/28

===============================

Interface: Ethernet0/0/0

path MTU: 1500

===============================

-----------------------------

IPsec policy name: "map"

sequence number: 10

mode: isakmp

vpn: 0

-----------------------------

connection id: 23

rule number: 5

encapsulation mode: tunnel

holding time: 0d 0h 6m 6s

tunnel local : 192.168.1.2 tunnel remote: 200.1.2.1

flow source: 192.168.168.0-192.168.168.255 0-65535 0

flow destination: 192.168.170.0-192.168.170.255 0-65535 0

[inbound ESP SAs]

spi: 123207260 (0x757fe5c)

vpn: 0 said: 24 cpuid: 0x0000

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/3234

max received sequence-number: 4

udp encapsulation used for nat traversal: Y

[outbound ESP SAs]

spi: 242336400 (0xe71c290)

vpn: 0 said: 25 cpuid: 0x0000

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/3234

max sent sequence-number: 5

udp encapsulation used for nat traversal: Y

IPSEC2

dis ipsec sa

20:28:38 2012/02/28

===============================

Interface: Ethernet0/0/0

path MTU: 1500

===============================

-----------------------------

IPsec policy name: "map"

sequence number: 10

mode: template

vpn: 0

-----------------------------

connection id: 23

rule number: 65535

encapsulation mode: tunnel

holding time: 0d 0h 6m 46s

tunnel local : 192.168.2.2 tunnel remote: 200.1.1.1

flow source: 192.168.170.0-192.168.170.255 0-65535 0

flow destination: 192.168.168.0-192.168.168.255 0-65535 0

[inbound ESP SAs]

spi: 242336400 (0xe71c290)

vpn: 0 said: 24 cpuid: 0x0000

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/3194

max received sequence-number: 4

udp encapsulation used for nat traversal: Y

[outbound ESP SAs]

spi: 123207260 (0x757fe5c)

vpn: 0 said: 25 cpuid: 0x0000

proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa remaining key duration (bytes/sec): 1887436464/3194

max sent sequence-number: 5

udp encapsulation used for nat traversal: Y
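A post-deployment check for the verification step above, as an added example that is not from this article or Huawei's own tooling: it parses the `display ike sa` and `display ipsec sa` text shown above and reports whether both IKE phases are READY, whether every ESP SA is UDP-encapsulated for NAT-T, and whether the negotiated ESP algorithms are still the weak DES/MD5 defaults. It assumes the peer port column of `display ike sa` is printed in hex (0x1194 is 4500, the NAT-T port; 0x0804 is NAT1's translated port 2052).

```python
"""Added check (not Huawei's code) over constructed samples abbreviated from the article's IPSEC1 captures."""
import re
IKE_SA_OUTPUT = """connection-id peer vpn flag phase doi
0x17 200.1.2.1:1194 0 RD|ST v2:2 IPSEC
0x16 200.1.2.1:1194 0 RD|ST v2:1 IPSEC
"""
IPSEC_SA_OUTPUT = """[inbound ESP SAs]
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
udp encapsulation used for nat traversal: Y
"""
WEAK = {"DES", "3DES", "MD5", "SHA1"}  # the USG defaults (DES/MD5) fall in here
# Assumption: the peer port column is hex (0x1194 == 4500, the NAT-T port; 0x0804 == 2052).
IKE_ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+):([0-9a-f]+)\s+\d+\s+(\S+)\s+v\d:(\d)\s+IPSEC$", re.M)

def parse_ike_sa(text):
    """One dict per IKE SA row: peer address, peer port (int), flags, phase (1 or 2)."""
    return [{"peer": m[1], "port": int(m[2], 16), "flags": m[3].split("|"), "phase": int(m[4])}
            for m in IKE_ROW.finditer(text)]

def parse_ipsec_sa(text):
    """Per direction ('inbound'/'outbound'): algorithm names and whether UDP NAT-T is in use."""
    sas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            cur = sas.setdefault(m[1], {"algs": [], "nat_t": False})
        elif cur and line.startswith("proposal:"):
            cur["algs"] = [a.rsplit("-", 1)[1] for a in line.split()[1:]]  # ESP-ENCRYPT-DES -> DES
        elif cur and line.startswith("udp encapsulation used for nat traversal:"):
            cur["nat_t"] = line.endswith("Y")
    return sas

def check_tunnel(ike_text, ipsec_text):
    """Return (tunnel_up, findings); findings list what still needs fixing even when up."""
    ike, esp, findings = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text), []
    ready = {sa["phase"] for sa in ike if "RD" in sa["flags"]}
    if ready != {1, 2}:
        findings.append("IKE phase 1 and phase 2 SAs are not both READY")
    if any(sa["port"] == 500 for sa in ike):
        findings.append("peer still on UDP 500: NAT-T did not move to 4500, check 'nat traversal'")
    encapsulated = all(d in esp and esp[d]["nat_t"] for d in ("inbound", "outbound"))
    if not encapsulated:
        findings.append("an ESP SA is missing or not UDP-encapsulated; bare ESP (proto 50) does not survive PAT")
    for d, sa in esp.items():
        if WEAK & set(sa["algs"]):
            findings.append(f"{d} ESP SA uses weak default algorithms {sorted(WEAK & set(sa['algs']))}")
    return ready == {1, 2} and encapsulated, findings
```

On the article's captures the tunnel is reported up, but the check still flags DES/MD5 on both ESP SAs, which is the cue to set explicit algorithms in `ipsec proposal aa`/`bb` rather than relying on the defaults.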